Forwarding problem; Forward Last?
Mark Andrews
Mark_Andrews at isc.org
Fri Feb 8 10:20:08 UTC 2008
> You are right, I didn't apply it to the zone you specified;
> I first disabled forwarding in the ad.sub.company.com zone by setting
> forwarders to an empty list, which did not work.
>
> I then did the same with the sub.company.com zone, as you specified. I
> can't get it to work either...
>
> As for made up names, there are rather strong confidentiality issues with
> my company. Let me put here a translation of my configurations files :
>
>
> /* named.conf */
>
> forwarders { 10.0.0.1; 10.0.0.2; };
>
> zone sub.company.com {
> type master;
> forwarders { }; #because you asked it
> file "master/myzonefile";
> };

Which will work. Your testing methods must be flawed or there
is something else you are not telling us.

Mark

> # note that the ad.sub.company.com isn't defined as such. I defined it to
> put the empty forwarder list when I read your above mail.
>
> /* myzonefile */
> /* skipping SOA block */
>
> ad.sub.company.com. IN NS ns1.ad.sub.company.com.
> ns1.ad.sub.company.com. IN A 192.168.0.1
>
>
> This setup seems, as far as literature goes, a state of the art setup for
> delegation of a zone.
> And btw yes I am probably "not applying [something] correctly". I have
> read through many mailing lists, docs, books and couldn't find an answer,
> hence why I am posting here.
>
> bind-users-bounce at isc.org wrote on 07/02/2008 23:03:01:
>
> >
> > > I was pretty sure I tested that, but I double checked anyway.
> > > It doesn't work; Or at least, it forces me to define the zone as a slave
> > > (or forward only) zone in named.conf, which is not the solution I
> > > envisioned.
> > > I just want to define a NS record and the corresponding A record for
> > > delegation, which works well as long as I can't forward to my main
> > > forwarders.
> >
> > It does work. You are just not applying it correctly.
> > Please look at the example below and apply it to the
> > corresponding zone in your hierarchy.
> >
> > This is a perfect example of why one should not hide zone
> > names etc. when asking for help. It makes it hard to
> > do the examples when one is using made up names.
> >
> > Mark
> >
> > > bind-users-bounce at isc.org wrote on 07/02/2008 14:09:38:
> > >
> > > >
> > > > > Hi,
> > > > > (needless to say I have been looking for the answer for days before
> > > > > posting here).
> > > > >
> > > > > I am in the process of replacing Novell Netware's repackaged Bind by a
> > > > > standard Linux Bind build.
> > > > > My setup is quite simple :
> > > > >
> > > > > Bind is authoritative for sub.company.com. It uses 2 company.com
> > > > > forwarders (which don't know anything about our zone and/or network
> > > > > apart from a couple A records they hold for external sub.company.com
> > > > > access. That's stupid but that's how they do.)
> > > > > There is an active directory, which is named -you guessed it already-
> > > > > ad.sub.company.com. Bind is not a slave for that zone, it just holds a NS
> > > > > and its glue record, as follows
> > > > > ad NS ns.ad.sub.company.com.
> > > > > ns.ad.sub.company.com. A 192.168.0.1
> > > > >
> > > > > My problem is the following: when my forwarders are down or undefined and
> > > > > I query Bind for a record in ad.company.com, it asks ns.ad.sub.company.com
> > > > > and answers with the right answer. (read : if the forwarders are defined
> > > > > but not reachable for some reasons, like FW blocking access, the cascading
> > > > > works).
> > > > > However when Bind can reach the forwarders, it just asks them for records
> > > > > in ad domain; they answer with a no such domain and resolution stops
> > > > > there.
> > > > >
> > > > > Reading Bind's documentation (and O'Reilly's book, 5th edition) I am not
> > > > > missing anything obvious about delegation. It might have to do with my
> > > > > forwarder being unaware of my setup but I don't see quite how (and I can't
> > > > > do anything about it).
> > > > > I have not tried to make bind a slave for the AD zone. I would like the
> > > > > above setup to work before trying other setups.
> > > > >
> > > > > Any help would be appreciated,
> > > >
> > > > turn forwarding off for the sub zone.
> > > >
> > > > zone sub.company.com {
> > > > ....
> > > > forwarders { /* empty */ };
> > > > };
> > > > >
> > > > >
> > > > --
> > > > Mark Andrews, ISC
> > > > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > > > PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
> > > >
> > > >
> > >
> > >
> > >
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
> >
> >
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
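
Added example, not part of the original message and not BIND code: a simplified Python model of the behaviour discussed in this thread, showing why the global forwarders win over the delegation until the parent zone carries an empty `forwarders` list. The closest-enclosing-name rule is a modelling assumption, and the query name `host.ad.sub.company.com` is constructed.

```python
# Simplified model for illustration (an assumption, not BIND source code):
# the forwarder list for a query comes from the closest enclosing name that
# carries a "forwarders" statement. The global options list sits at the root,
# and an empty list means "do not forward; follow the delegation instead".

GLOBAL_FORWARDERS = ["10.0.0.1", "10.0.0.2"]            # from the thread
DELEGATIONS = {"ad.sub.company.com": ["192.168.0.1"]}   # NS + glue in the zone file


def labels(name):
    """Split a domain name into lower-case labels, ignoring the trailing dot."""
    return [part for part in name.lower().rstrip(".").split(".") if part]


def closest_enclosing(qname, table):
    """Return the value stored at the longest suffix of qname, or None."""
    q = labels(qname)
    best_key = None
    for key in table:
        k = labels(key)
        if len(k) <= len(q) and q[len(q) - len(k):] == k:
            if best_key is None or len(k) > len(labels(best_key)):
                best_key = key
    return None if best_key is None else table[best_key]


def resolution_path(qname, zone_forwarders):
    """Decide where a recursive query for a non-authoritative name is sent.

    zone_forwarders maps a zone name to its per-zone "forwarders" list.
    """
    override = closest_enclosing(qname, zone_forwarders)
    forwarders = GLOBAL_FORWARDERS if override is None else override
    if forwarders:
        return ("forward", list(forwarders))
    servers = closest_enclosing(qname, DELEGATIONS)
    return ("delegation", list(servers)) if servers else ("iterate", [])


if __name__ == "__main__":
    name = "host.ad.sub.company.com"  # constructed query name
    print("no override: ", resolution_path(name, {}))
    print("empty list:  ", resolution_path(name, {"sub.company.com": []}))
    print("other domain:", resolution_path("www.example.org", {"sub.company.com": []}))
```

Names outside `sub.company.com` still go to the global forwarders in this model; only the subtree under the zone with the empty list stops being forwarded.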